The 2025 State of Crypto Agility Report: How organizations are preparing for post-quantum cryptography


Sectigo and global research firm Omdia collaborated to produce the 2025 State of Crypto Agility Report. This blog breaks down the key findings, laying out the survey results from C-level, vice president, and director-level leaders in IT, technical operations, cybersecurity, and risk departments across the world to understand how organizations are preparing and where they are underprepared for post-quantum cryptography.
Table of Contents
- What is crypto agility and why does it matter?
- The shrinking certificate lifespan: the first wake-up call in prioritizing crypto agility
- Why manual certificate management is a risk you can’t afford
- Crypto agility starts with automation
- The quantum threat is on our doorstep
- Closing the gap with a Cryptographic Center of Excellence (CCOE)
- The path forward
For the first time in modern computing history, the cryptography that underpins global digital security must be ripped out and replaced. What was once a far-off prediction has now turned into a fast-approaching reality. The 2025 State of Crypto Agility Report, conducted by Sectigo in partnership with Omdia, provides the clearest snapshot yet of where organizations stand in the face of this seismic shift.
From shrinking certificate lifespans to the looming threat of quantum computing, businesses are facing a high-stakes transformation in how they manage and secure their cryptographic infrastructure. The takeaway is clear: crypto agility must become a business imperative in order to survive this new age.
What is crypto agility and why does it matter?
Crypto agility is the ability to rapidly find, manage, replace, and adapt cryptographic assets, including certificates and encryption algorithms, in response to evolving security threats.
Two urgent forces are colliding to make crypto agility a must-have:
- Shorter SSL/TLS certificate lifespans, set to drop from today’s 398 days to just 47 days by 2029.
- The migration to post-quantum cryptography by 2030.
The combination of the two demands a new approach: one where automation, visibility, and continuous cryptographic adaptation are built into your organization’s security fabric. The suggested approach: automated certificate lifecycle management (CLM).
The shrinking certificate lifespan: the first wake-up call in prioritizing crypto agility
Starting March 15, 2026, the maximum allowed term for public SSL/TLS certificates will drop to 200 days, putting them on a 6-month renewal cadence. By 2029 it will drop to just 47 days, which implies a monthly renewal schedule. This means:
- 12x more renewals
- 12x more work
- 12x the risk of triggering outages
Deadline | Max Public TLS Lifespan | Renewal Cadence | Maximum DCV Reuse Period |
March 15, 2026 | 200 Days | 6 Months | 200 Days |
March 15, 2027 | 100 Days | 3 Months | 100 Days |
March 15, 2029 | 47 Days | 1 Month | 10 Days |
According to the report:
- 96% of organizations are concerned about the impact of shorter certificate terms on their business.
- Fewer than 1 in 5 organizations (19%) feel prepared to handle monthly renewals.
- Only 28% have a complete inventory of certificates.
- And just 13% are confident they can track rogue or shadow certificates.
The operational math is daunting: 12x more renewals, 12x more risk, and 12x more work by 2029, unless automation is in place.
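An added example (not from the report or from Sectigo) that projects this renewal workload for a certificate inventory as each deadline takes effect, and checks a certificate's validity period against the limit in force on its issuance date. The inventory dates, the annual baseline cadence, and day-granularity validity are assumptions; the limits and cadences come from the table above.

```python
from datetime import date, timedelta

# (effective date, max lifespan in days, renewal cadence in days), from the
# schedule table above; cadences approximate its 6-, 3- and 1-month columns.
SCHEDULE = [
    (date(2026, 3, 15), 200, 182),
    (date(2027, 3, 15), 100, 91),
    (date(2029, 3, 15), 47, 30),
]
# 398 days is the page's current maximum; annual renewal is an assumption.
BASELINE = (398, 365)


def policy_on(issued: date) -> tuple[int, int]:
    """Return (max lifespan, renewal cadence) for a certificate issued on `issued`."""
    policy = BASELINE
    for effective, max_days, cadence in SCHEDULE:
        if issued >= effective:
            policy = (max_days, cadence)
    return policy


def exceeds_limit(not_before: date, not_after: date) -> bool:
    """True if the validity period is longer than allowed on the issuance date."""
    return (not_after - not_before).days > policy_on(not_before)[0]


def project_renewals(issue_dates: list[date], until: date) -> dict[int, int]:
    """Count renewal events per calendar year for an inventory of certificates."""
    per_year: dict[int, int] = {}
    for issued in issue_dates:
        due = issued + timedelta(days=policy_on(issued)[1])
        while due <= until:
            per_year[due.year] = per_year.get(due.year, 0) + 1
            # The replacement is issued under the rule in force on that day.
            due += timedelta(days=policy_on(due)[1])
    return per_year


# Constructed inventory: issuance dates of three hypothetical certificates.
INVENTORY = [date(2025, 6, 1), date(2025, 9, 15), date(2026, 1, 10)]

if __name__ == "__main__":
    projection = project_renewals(INVENTORY, date(2030, 12, 31))
    for year, count in sorted(projection.items()):
        print(year, count)
```

Feeding it real issuance dates from a certificate inventory shows in which year the renewal count outgrows a manual process.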
Why manual certificate management is a risk you can’t afford
As certificate validity windows shrink, the burden on IT and security teams grows exponentially. The report reveals:
- Only 53% of organizations automate certificate renewal.
- One third (33%) of businesses automate certificate deployment, leaving the other two thirds deploying certificates manually.
- A mere 32% automate domain control validation (DCV).
That means most organizations still rely on manual methods, a dangerous gamble in a world where even a single expired certificate can cause outages, compliance failures, and lost revenue.
Crypto agility starts with automation
One of the report’s most encouraging insights is that 90% of organizations recognize the work required to prepare for shorter certificate lifespans directly overlaps with PQC readiness. That means investing in automation and certificate lifecycle management today – the foundational blocks of certificate agility – helps build a strong foundation for crypto agility tomorrow.
Yet despite understanding the link between certificate agility and crypto agility, organizations remain stalled in moving forward:
- Only 5% of organizations have fully automated certificate management.
- 57% say competing roadmap priorities are a significant or critical obstacle to automation adoption.
- A staggering 95% remain at least partially dependent on manual processes as they are planning to increase automation or still evaluating their approach.
This signals a dangerous disconnect between awareness and actual execution.
The quantum threat is on our doorstep
Certificate deadlines are on our doorstep, and for good reason. Quantum computing presents a host of concerns for digital security today, even though it may appear to be a few years off.
Quantum machines could decrypt today’s encrypted data within years, and attackers know it. That’s why Harvest Now, Decrypt Later (HNDL) attacks, where threat actors store encrypted data now for future decryption, are already underway. Once mature, quantum machines will be able to break RSA and ECC, the algorithms that protect the vast majority of today’s digital data. NIST plans to deprecate both in 2030, with full disallowance by 2035.
- 60% of organizations are “very or extremely concerned” about HNDL attacks.
- 92% expect to increase investment in post-quantum cryptography (PQC) within 2–3 years.
- Yet only 14% have conducted a full assessment of quantum-vulnerable systems.
The risk is real, and the clock is ticking.
Y2K vs. Q-Day
Often compared to Y2K, quantum computing is not a topic to be taken lightly. The transition to post-quantum cryptography (PQC) mirrors the Y2K challenge in that both require proactive, enterprise-wide coordination to address a looming, systemic technology shift. Just as Y2K demanded a thorough review of code, systems, and dependencies to avoid critical failures, PQC calls for a complete operational transformation that reaches every layer of the organization, from infrastructure and tooling to governance and cross-team collaboration.
Swapping algorithms isn’t enough; enterprises must rethink how cryptography is integrated, managed, and scaled, with priorities like integration with existing platforms (58%), ease of implementation (55%), and automation options (49%). In both cases, success hinges on treating the change as a shared responsibility across IT, security, and business leadership, approaching it through deliberate, coordinated steps rather than last-minute fixes.
The lesson from Y2K is clear: those who invest early in visibility, automation, and collaboration will navigate PQC with resilience, while those who delay risk being unprepared when the need becomes urgent.
Factor | Y2K | Q-Day |
Target date | Well-known January 1, 2000 | Unknown, estimated 2030 |
Threat duration | Finite: no pre-Y2K threat, ended within months | Ongoing: active attacks now, threats ongoing past Q-day |
System impact | Limited: application, data updates | Broad: all interconnected systems, networks, applications and data infrastructure |
Advanced implementation timeline | 6-12 months in advance | Years in advance |
Remedy level of effort | Hundreds of billions of dollars, millions of labor hours | Completely unknown |
Closing the gap with a Cryptographic Center of Excellence (CCOE)
The report calls out the need for a centralized response to crypto modernization. As complexity rises, organizations will need to establish Centers of Cryptographic Excellence to coordinate across teams, tools, and infrastructure.
According to Gartner, organizations with a CryptoCOE by 2028 will save 50% in PQC transition costs compared to those without one. Without a centralized strategy, crypto transformation risks becoming fragmented, chaotic, and ineffective.
The path forward
The message from the State of Crypto Agility Report is clear:
- Deadlines are fast approaching, and manual certificate management won’t scale when renewal cadences start shrinking.
- PQC is a strategic priority now, not in the future.
- Automation is the single most effective way to reduce risk, cost, and complexity.
Crypto agility is a journey, but the first step is non-negotiable: Automate today. Doing so will not only prepare your organization for the 47-day certificate future, but also build the resilience you’ll need to survive the quantum era.
Additional resources
Explore the State of Crypto Agility report findings in-depth with the following additional resources:
• Webinar: State of Crypto Agility (PQC focus), September 2, 2025.
• Webinar: State of Crypto Agility (certificate focus), September 30, 2025.
• Podcast: Root Causes 520: How prepared are IT teams for 47-day certificates?
• Podcast: Root Causes 521: How Prepared Are Enterprises for PQC? (Part 1)
• Podcast: Root Causes 522: How Prepared Are Enterprises for PQC? (Part 2)
